DNS Domain Name Resolution Service
This article draws on the book 《Linux就该这样学》 (www.linuxprobe.com/basic-learn…).
Simply put, a domain name resolution service resolves domain names to IP addresses (forward resolution) and IP addresses to domain names (reverse resolution). The mapping between domain names and IP addresses on the Internet is huge and complex, so the resolution service records it in a hierarchical structure resembling a directory tree, as shown in the figure below.
When a user's domain name query is processed there are two methods: recursive query and iterative query. In a recursive query the DNS server must give the user a definitive answer: when it has no information locally, the server itself queries other servers and returns the result to the user. In an iterative query, when the DNS server has no information it returns the address of another DNS server to the user, who then contacts that server, and so on until the query result is returned.
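As an added illustration (not from the original article), the following Python model of the directory-tree hierarchy shows the difference in who does the work: in the iterative case the querier follows every referral itself, while in the recursive case the querier asks once and the resolver walks the tree and caches the answer. The server names, zone data and addresses are constructed for the example.

```python
# Added example (not from the original article): a toy model of the DNS tree
# described above, used to show who does the work in a recursive query
# versus an iterative one. Servers, names and addresses are constructed.

ROOT, TLD, AUTH = "root-server", "com-server", "linux.com-server"

# Each server knows only its own level of the tree: either a final answer
# ("A", ip) or a referral ("NS", next_server) one level further down.
SERVERS = {
    ROOT: {"com.": ("NS", TLD)},
    TLD: {"linux.com.": ("NS", AUTH)},
    AUTH: {"wh.linux.com.": ("A", "192.168.180.128"),
           "wh2.linux.com.": ("A", "192.168.180.129")},
}


def ask(server, qname):
    """One query to one server: ("A", ip), ("NS", server) or None."""
    zone = SERVERS[server]
    if qname in zone:
        return zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):          # closest delegation this server knows
        parent = ".".join(labels[i:])
        if parent in zone and zone[parent][0] == "NS":
            return zone[parent]
    return None


def iterative_lookup(qname, start=ROOT, max_hops=8):
    """Iterative query: a server without the answer hands back a referral and
    the *querier* follows it. Returns (ip or None, servers contacted)."""
    contacted, server = [], start
    for _ in range(max_hops):
        contacted.append(server)
        reply = ask(server, qname)
        if reply is None:
            return None, contacted           # no answer and no referral
        kind, value = reply
        if kind == "A":
            return value, contacted
        server = value                       # follow the referral ourselves
    return None, contacted                   # referral loop guard


class RecursiveResolver:
    """Recursive query: the client asks this resolver once and gets a final
    answer; the resolver performs the iterative walk and caches the result."""

    def __init__(self):
        self.cache = {}
        self.upstream_contacted = []         # servers the resolver itself asked

    def query(self, qname):
        if qname in self.cache:              # cache hit: nothing leaves the resolver
            return self.cache[qname]
        ip, contacted = iterative_lookup(qname)
        self.upstream_contacted.extend(contacted)
        if ip is not None:
            self.cache[qname] = ip
        return ip


if __name__ == "__main__":
    print("iterative:", iterative_lookup("wh.linux.com."))
    resolver = RecursiveResolver()
    print("recursive:", resolver.query("wh.linux.com."), resolver.upstream_contacted)
    print("cached   :", resolver.query("wh.linux.com."), resolver.upstream_contacted)
```

Running the script shows three servers contacted for the first lookup in either mode; the difference is that in the recursive mode those three queries are made by the resolver, and a second lookup for the same name is answered from its cache without any upstream traffic.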
Installing the Bind service
Bind is the most widely used domain name resolution service in the world, and is secure, reliable and efficient.
yum -y install bind-chroot
Main configuration file (/etc/named.conf): defines how the bind service program runs.
Zone configuration file (/etc/named.rfc1912.zones): records where the files holding the domain-name-to-IP mappings are located.
Data configuration directory (/var/named): holds the data files with the actual domain-name-to-IP mappings.
Edit /etc/named.conf
[root@wh ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { any; };        // port and addresses the service listens on
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };          // IPs allowed to send queries

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
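The comment block that ships inside named.conf already states the risk of the combination used here: listen-on any, allow-query any and recursion yes together make a server that will recurse for anyone who can reach it. The following Python script is an added example (not from the article and not part of ISC BIND) that checks an options block for exactly that pattern, applying BIND's documented defaults when a statement is absent (allow-query defaults to any; allow-recursion falls back to allow-query-cache, then allow-query). WEAK_CONF mirrors the settings above; HARDENED_CONF is a constructed variant that keeps recursion on but restricts it with allow-recursion and BIND's built-in localhost and localnets ACLs. The parser is a heuristic for the statements used here, not a full named.conf grammar.

```python
import re

# Added example (not from the original article or from ISC BIND): audit the
# options block of a named.conf for the open-resolver pattern that the file's
# own comment warns about. Heuristic parser, not a full named.conf grammar.

# Constructed excerpt mirroring the settings shown in the article.
WEAK_CONF = """
options {
    listen-on port 53 { any; };
    allow-query { any; };
    /* If your recursive DNS server has a public IP address, you MUST enable
       access control to limit queries to your legitimate users. */
    recursion yes;
    dnssec-validation yes;
};
"""

# Constructed hardened variant: still authoritative for everyone, but
# recursion only for local clients. 'localhost'/'localnets' are built-in ACLs.
HARDENED_CONF = """
options {
    listen-on port 53 { any; };
    allow-query { any; };                      // authoritative answers for all
    allow-recursion { localhost; localnets; }; // recursion only for our networks
    recursion yes;
    dnssec-validation yes;
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(clean, name):
    """Text between the braces of a top-level `name { ... }` block, or None."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), clean)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(clean) and depth:          # track nested { } inside the block
        depth += {"{": 1, "}": -1}.get(clean[i], 0)
        i += 1
    return clean[m.end():i - 1]


def address_list(body, stmt):
    """Elements of `stmt [port N] { a; b; };` as a list, or None if absent.
    The lookarounds stop allow-query matching allow-query-cache and the like."""
    pat = r"(?<![\w-])%s(?![\w-])\s*(?:port\s+\d+\s*)?\{([^}]*)\}" % re.escape(stmt)
    m = re.search(pat, body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def simple_value(body, stmt):
    """Value of a one-word statement such as `recursion yes;`, or None."""
    m = re.search(r"(?<![\w-])%s\s+([^\s;{]+)\s*;" % re.escape(stmt), body)
    return m.group(1) if m else None


def audit(named_conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = block_body(strip_comments(named_conf), "options") or ""
    # Absent statements are judged the way named would, using BIND's defaults.
    recursion = simple_value(opts, "recursion") or "yes"
    allow_query = address_list(opts, "allow-query") or ["any"]
    allow_recursion = (address_list(opts, "allow-recursion")
                       or address_list(opts, "allow-query-cache")
                       or allow_query)
    findings = []
    if recursion == "yes" and "any" in allow_recursion:
        findings.append("open resolver: recursion yes and allow-recursion "
                        "effectively { any; }")
    return findings


if __name__ == "__main__":
    print("weak    :", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

The hardened variant keeps allow-query any so that the linux.com zone configured below is still served to everyone, while only clients on the server's own networks get recursive service, which is the access control the in-file comment asks for. The syntax of a real file is best confirmed with BIND's own named-checkconf before reloading.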
Edit /etc/named.rfc1912.zones
[root@wh ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};

zone "linux.com" IN {                    // forward zone for the linux.com domain
    type master;                         // this server is the master
    file "linux.com.zone";               // data file name (under /var/named)
    allow-update { none; };              // IPs allowed to send dynamic updates
};

zone "180.168.192.in-addr.arpa" IN {     // reverse zone for the 192.168.180.0 network
    type master;                         // this server is the master
    file "180.168.192.arpa";             // data file name
    allow-update { none; };              // IPs allowed to send dynamic updates
};
Write the data files in /var/named
[root@wh ~]# cat /var/named/linux.com.zone
$TTL 1D
@       IN SOA  linux.com. root.linux.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      wh.linux.com.            ; name server for the zone (line starts with whitespace, so the owner @ is inherited)
wh      IN A    192.168.180.128          ; resolve wh.linux.com to 192.168.180.128
wh2     IN A    192.168.180.129
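The zone file above and the reverse zone declared in named.rfc1912.zones are two views of the same data, and the NS record only works because wh has an A record in the same zone. The Python below is an added example (not from the article and not BIND code) that parses the forward zone shown above, reports any in-zone NS target lacking an A record, and derives the 180.168.192.in-addr.arpa PTR records from the A records. The article names the reverse file 180.168.192.arpa but never shows its content, so the rendered reverse zone here is an assumption built from the forward data. The parser supports only what the article's file uses ($TTL, @, the parenthesised SOA, owner inheritance and an optional IN class).

```python
import ipaddress

# Added example (not from the original article or from BIND): a minimal
# master-file parser for the linux.com.zone shown in the text, a glue check
# for the NS target, and a generator for the reverse zone. The article names
# the reverse file 180.168.192.arpa but never shows it, so its content here is
# an assumption derived from the A records.

# Constructed copy of the article's forward zone.
ZONE_TEXT = """\
$TTL 1D
@       IN SOA  linux.com. root.linux.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      wh.linux.com.
wh      IN A    192.168.180.128
wh2     IN A    192.168.180.129
"""


def _logical_lines(text):
    """Drop ';' comments and join parenthesised continuation lines (SOA).
    Leading whitespace of the first physical line is preserved because it
    marks an omitted owner name."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text, origin):
    """Return (default_ttl, [(owner, TYPE, [rdata...])]) with all names made
    absolute. Supports $TTL, '@', owner inheritance and an optional IN class;
    per-record TTL fields are not handled (the article's file has none)."""
    origin = origin.rstrip(".") + "."

    def absolute(name):
        if name == "@":
            return origin
        return name if name.endswith(".") else f"{name}.{origin}"

    ttl, owner, records = None, origin, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            ttl = tokens[1]
            continue
        if not line[0].isspace():          # owner present on this line
            owner = absolute(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return ttl, records


def missing_glue(records, origin):
    """In-zone NS targets that have no A record: a resolver handed this NS
    name could not find the server, so nslookup would fail."""
    origin = origin.rstrip(".") + "."
    have_a = {o for o, t, _ in records if t == "A"}
    return sorted(rd[0] for _, t, rd in records
                  if t == "NS" and rd[0].endswith(origin) and rd[0] not in have_a)


def reverse_zone(records, network):
    """Derive the in-addr.arpa zone name and PTR data (last octet -> FQDN)
    for every A record inside `network`. Only /24 networks are handled,
    which matches the article's 180.168.192.in-addr.arpa zone."""
    net = ipaddress.ip_network(network)
    if net.prefixlen != 24:
        raise ValueError("only /24 reverse zones are supported here")
    octets = str(net.network_address).split(".")[:3]
    zone_name = ".".join(reversed(octets)) + ".in-addr.arpa."
    ptrs = [(rd[0].split(".")[-1], owner)
            for owner, t, rd in records
            if t == "A" and ipaddress.ip_address(rd[0]) in net]
    return zone_name, ptrs


def render_reverse_zone(ttl, records, network):
    """Text of a reverse master file reusing the forward zone's SOA and NS."""
    soa = next(rd for _, t, rd in records if t == "SOA")
    ns = next(rd[0] for _, t, rd in records if t == "NS")
    _, ptrs = reverse_zone(records, network)
    lines = [f"$TTL {ttl}",
             f"@   IN SOA {soa[0]} {soa[1]} ( {' '.join(soa[2:])} )",
             f"    NS  {ns}"]
    lines += [f"{octet:<4}IN PTR {target}" for octet, target in ptrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ttl, recs = parse_zone(ZONE_TEXT, "linux.com")
    print("missing glue:", missing_glue(recs, "linux.com"))
    print(render_reverse_zone(ttl, recs, "192.168.180.0/24"))
```

The generated text can be saved as /var/named/180.168.192.arpa to match the file name declared in named.rfc1912.zones; BIND's own named-checkzone is the authoritative syntax check for both files before the service is reloaded.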
After finishing the changes, set the server's DNS to its own IP address, then verify with nslookup (install bind-utils with yum), as shown below.
[root@wh ~]# nslookup
> wh.linux.com
Server: 192.168.180.128
Address: 192.168.180.128#53
Name: wh.linux.com
Address: 192.168.180.128